Cuttlefish is malware that targets small office and home office (SOHO) routers, especially enterprise-grade routers. This modular malware is designed to primarily monitor all traffic to steal authentication data from web requests that transit the router from the adjacent local area network (LAN).
The secondary function is the ability to perform both DNS and HTTP hijacking of connections to private IP space associated with communications on an internal network, and potentially to introduce additional malware payloads. Through DNS hijacking, Cuttlefish can manipulate DNS responses to redirect users to malicious websites, while HTTP hijacking allows the interception and manipulation of data in transit.
Lumen Technologies’ Black Lotus Labs examined the new malware. They reported that Cuttlefish malware creates a proxy or VPN tunnel on the compromised router, allowing it to exfiltrate data while bypassing security measures that detect unusual sign-ins.
The Cuttlefish malware has been operational since at least July 27, 2023. The most recent attack campaign occurred between October 2023 and April 2024, primarily targeting 600 distinct IP addresses linked to two Turkish telecommunications providers.
Technical Details – Malicious files (bash script)
The deployed bash script begins by performing reconnaissance of the device, collecting details such as directory listings, the contents of /etc, running processes, mounts, and active connections. After gathering this information and the contents of the “/etc/config” file, it compresses all the data into a single archive named “co.tmp.tar.gz”. The archive is posted to the URL hxxps://kkthreas[.]com/upload, which is owned by the actor.
Once uploaded, the archive is deleted from the Cuttlefish-infected device. The final command in the bash script retrieves the trojan from the payload server at hxxp://209.141.49[.]178/dajfdsfadsfa/{architecture}. The trojan file is hidden in the tmp directory under the name “.timezone”, and its permissions are changed so that it is executable by any user.
Once “.timezone” is running in memory, it is deleted from the file system to hamper recovery efforts. The primary file path was made to accommodate an ARM-based payload; however, alternate file paths are included that are compatible with all the main router architectures: i386, i386_i686, i386_x64, mips32, and mips64.
Detection and Prevention
- Keep router firmware up-to-date and patched to fix known vulnerabilities.
- Be sure to use strong authentication credentials for router administration and change them periodically.
- Monitor all network traffic and user logs to detect any unusual activity.
- Implement robust security measures, such as firewalls and intrusion detection/prevention systems (IDS/IPS), to block suspicious traffic.
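As an added example (not code from the original write-up or from the Black Lotus Labs report), the Python below applies the indicators described above to constructed sample data: it flags a router-originated connection to the upload host or the payload server, and a process running from the dropped “/tmp/.timezone” path or from an executable in /tmp that was unlinked while still running. The log and process-snapshot formats are assumptions made for this example.

```python
# Indicators named in the write-up above, with the defanging removed so they match log text.
C2_HOSTS = {"kkthreas.com"}
PAYLOAD_SERVERS = {"209.141.49.178"}
DROPPED_BINARY = "/tmp/.timezone"
# Constructed sample of connections the router itself opened. The key=value
# layout is an assumption for this example, not any product's real log format.
SAMPLE_CONN_LOG = """\
2024-03-02T10:14:07 OUT src=192.168.1.1 dst=93.184.216.34 dport=443 host=example.org
2024-03-02T10:14:09 OUT src=192.168.1.1 dst=198.51.100.7 dport=443 host=kkthreas.com uri=/upload
2024-03-02T10:14:12 OUT src=192.168.1.1 dst=209.141.49.178 dport=80 uri=/dajfdsfadsfa/arm
"""
# Constructed sample shaped like `ls -l /proc/*/exe` output taken on the router.
SAMPLE_PROC_EXE = """\
/proc/1/exe -> /sbin/init
/proc/812/exe -> /usr/sbin/dnsmasq
/proc/2231/exe -> /tmp/.timezone (deleted)
"""

def parse_kv(line):
    """Turn one log line into a dict of k=v fields plus the leading timestamp."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    fields["ts"] = tokens[0]
    return fields

def scan_connections(log_text):
    """Return (timestamp, reason) for each router-originated hit on a known indicator."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        f = parse_kv(line)
        if f.get("host") in C2_HOSTS:
            hits.append((f["ts"], f"exfil host {f['host']}"))
        elif f.get("dst") in PAYLOAD_SERVERS:
            hits.append((f["ts"], f"payload server {f['dst']}"))
    return hits

def scan_processes(snapshot):
    """Flag the known drop path and any /tmp binary unlinked while running (' (deleted)' suffix)."""
    hits = []
    for line in filter(str.strip, snapshot.splitlines()):
        link, target = line.strip().split(" -> ", 1)
        pid = int(link.split("/")[2])
        deleted = target.endswith(" (deleted)")
        path = target[: -len(" (deleted)")] if deleted else target
        if path == DROPPED_BINARY:
            hits.append((pid, path, "known Cuttlefish drop path"))
        elif deleted and path.startswith("/tmp/"):
            hits.append((pid, path, "unlinked executable running from /tmp"))
    return hits
```

The second process rule is deliberately broader than the one file name, since the page notes the binary is removed from disk after it starts; on a real router the snapshot would come from the device's /proc rather than a constructed string.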
~ Author : Hashan Nethkalum ~